00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:10
Welcome to CyberSound. I'm your host, Jason Pufahl, joined by Michael Grande,
Michael Grande 00:15
Great to be here!
Jason Pufahl 00:16
And, you found our special guest today, so we have Chris Taft from Fanatics, Chief Accounting Officer, it's nice to meet you, it's nice to have you here, thanks for joining Chris.
Chris Taft 00:24
Nah, pleasure's all mine guys, really appreciate the time.
Michael Grande 00:27
So I've known Chris for a very long time, I've had the pleasure of not only knowing him, sort of through school and college and well beyond. But he's had a very interesting career in the public accounting space, and now in private organizations, and he brings a really great flavor, I think, to something that we talk a lot about. And it's about perspective, right, and the different perspectives that different companies have and different individuals have when it comes to cybersecurity. So, Chris, if you want to start us off, maybe talk about your background, a little bit some of your experiences, and maybe the intersections with cyber and technology services and concerns along the way.
Chris Taft 01:07
Yeah, sure. No, great, appreciate the time, again, great to be here. You know, typical accounting background, accounting degree at a college, been doing it for over 20 years now, started in audit, like most CPAs do with big firm Pricewaterhouse Coopers, then I worked at GE when their global headquarters was in Connecticut, was there just shy of a decade predominantly controllership financial reporting roles. Left GE, went for to a company called Nielsen Holdings PLC, I'm sure people have heard of Nielsen TV ratings, was in accounting, some FPNA there. And I think that's where I really got into the intersection with IT and infosecurity, when I was a Chief Accounting Officer at Nielsen, you know, we had, you know, an InfoSec committee, so to speak, and that was when things were really starting to get heated around in the space and more board involvement. And so, as the Chief Accounting Officer and Controller, you know, focusing on internal controls, got a lot involved in it a lot. In big to big companies, Nielsen is obviously an important, important part of risk management. And then now I'm at Fanatics, which is a private company. So I've switched from being mostly involved in public SEC registrants, to, to private companies. And and look, I think, from a from a, from a perspective, I mean, we try to hold ourselves, we want to be a great company, right? Not just what do private companies do, or public companies do? Like what do great companies do, and particularly around infosecurity, giving the importance, you know, what our crown jewels are in terms of our business, whatever your businesses and making sure that you're, you're always focused on it. You see it in the news every, every day, there are breaches, people are trying to get in, there's a lot of bad actors. And I think having the intersections across the business, so it's not just IT led, you've got finance involvement, you got legal involvement, you've got more operational involvement from the business. I think bringing that all together is certainly the best approach no matter if you're public or private, but particularly for public companies.
Jason Pufahl 03:01
So if you don't mind spend a minute or two on what Fanatics does, because I think we're entering a season where it's probably really, really relevant for you. I mean, I guess sports always is right, but.
Chris Taft 03:12
Yeah, sure. So Fanatics, we're building a digital sports platform for the fan, right? So the fans gonna be able to buy, collect, and bet that when I say buy, it's particularly at our Fanatics.com website, merchandise, apparel, your favorite team. UConn? I know you're a big UConn fan. Sorry about the loss night. Providence? We're Providence alums so we can go on and buy Providence gear. Yeah. Let's hope you get in the tournament at all, I guess.
Michael Grande 03:35
Good point.
Chris Taft 03:37
Alright, settle down. Coming March 8, I think we should talk about that one.
Jason Pufahl 03:41
We're bringing out the guns today.
Chris Taft 03:43
That's right. I love it, I love it. So that's buy, collect. So trading cards, we acquired Tops at the end of 2021. So we're kind of expanding outside of just, you know, sports trading cards, but other cultural revelant trading cards. So trading cards, when I say collect, we also have memorabilia, autographs, you know, signed pictures, signed jerseys and alike. And then bet, we just launched the beginning of 2023. You know, Fanatics Sportsbooks, so we have retail locations. There's some in Connecticut. And there's also, you know, a great app, the Fanatic's SportsBook app, so buy bet collect is what we call it. And so like, yeah, it's all about the sports fan. And really trying to bring that one ecosystem to the fan every day is what we're focused on.
Jason Pufahl 04:22
So certainly sports, you know, there's big events all the time, and we just came out of the Super Bowl, that we'll be posting this podcast I think, the week that March Madness starts, right. I always talk about sort of the seasonality of phishing, we always see an uptick, tax season, Christmas, right. There's all these events that typically result in more phishing. I'm expecting there to be an uptick during something like a Super Bowl or something like a, you know, NCAA tournament. I guess, give me a little sense of maybe how you, how you might be planning for that. I think we'd probably worth talking a little bit about types of phishing scams we might see.
Chris Taft 05:01
Yeah, I mean, look, I think it's no matter where you work, right? Those are these are events that are, you know, sort of national events, right? The Superbowl being a big one, the Monday after the Superbowl is always a day where people kind of, you know, don't show up to work the next day, they will promote,
Jason Pufahl 05:14
Should be a holiday.
Chris Taft 05:15
It should be holiday. Yeah, I agree. You know, but you got people working remotely. And if they're not smart enough to VPN in, you could have some issues there, where there's more vulnerabilities, and then March Madness, everyone's you know, doing bracketology, and all those things. And I think, you know, it's just another area where we really just got to focus on the employee, right, I read somewhere, it's like 75% of breaches, are through employees email. And we get spam and phishing, you know, every day, some of us and I think, making sure we're training, you know, our people to be ready for and to be vigilant to look out for things that just don't look, right. There's obviously, you know, software and technology that you guys are more experts at than me in terms of how to block it before it gets the employee, but things get through, and making sure that you don't have an employee that makes that mistake and clicks on something that, you know, thinks nothing of it, doesn't tell anybody, and then six months later, a bad actors in and, you know, you find out the hard way. So I think, you know, it's a good opportunity to really reinforce the education around watching out for those things, because to your point, it's a certainly a high volume time.
Michael Grande 06:16
And I'm sure a lot of social engineering and people sort of captive, I don't remember the stat. But during those first several days of March Madness, the amount of sort of bandwidth consumed by just streaming games and watching games and looking for score updates, you know, productivity levels, pretty much tank, right. So, you know, as you said, sort of bad actors have have an open open playground, right to go after and, and sort of dupe unsuspecting folks, you know, in a lot of negative ways.
Jason Pufahl 06:47
Yeah. I mean, it's a captive audience. And everybody's excited. So it's easy. Everybody's excited and there's a lot of data out there, right. So it's trivial for a hacker to say, listen, I'm gonna send Michael an email that makes it look like he has an opportunity to buy PC gear, because his eyes are on PC, right?And these things work, and they're just trying to get you to click, they're just trying to get you to, you know, typically provide credentials. But there's other there's other scams out there. These events, I mean, they're, they're, they're ripe for phishing. So, Chris, when we were talking earlier, it sounds like Fanatics has a pretty rigorous trent sort of internal training program to help prevent things internally. I'm curious if you want to touch on that for a minute.
Chris Taft 07:30
Yeah, I mean, I think, you know, the last three companies I've worked at, we've had, you know, the training and the, you know, the sort of repeat training, because that's the key is right, you can't just be a one once a year exercise. And I think what, what I've seen more in the space, you know, not just at Fanatics, but just talking with some peers is just the sophistication of these emails, right, just to your point using social engineering to identify that I'm a PC alum, because they looked at my LinkedIn. So it can make it look like it come from Providence.edu. And if I'm not paying attention, it says like, edq. Yeah, those are things that like the sophistication is, is really high. And I'll give an example. Like, one of the ones, you know, I saw in the past was, it was budget season, right? So the end of the year, favorite time of the year, every time. I know Mike probably hounds you right, Jason? And so, there was so basically what it was was your direct manager and email came directly from them. It looked like their email, there was a link to an Excel file that said like your name, so it just said like TAFT budget, and an email box, it says, hey, could you please review, I think this is what we discussed. And looks pretty sophisticated, right? The only reason I knew at the time, not that it was that of this game is because my boss never sends links to anything. He would send me the Excel file directly. And so I knew he didn't actually know how to do that. But just again, but that's it, I think our we had a huge failure rate that year, that putting that quarter for that test. So I think not just doing the simple ones that are obvious, but like trying to make it sophisticated, just like the bad actors are getting more sophisticated. It just the level of you know, the level fields is getting higher and higher.
Jason Pufahl 09:03
One of the discussions we've had now is certainly there's a lot of money in in these activities. They're hiring native English speakers to craft emails, and it's even easier now with AI they can, you can literally just say write me a phishing email, include this type of link, and you're off and running.
Michael Grande 09:21
Chris, would you say, I mean, the beautiful part about sports I think this is probably the slowest time of the year from a sports perspective. You got some of the major sports going on, but a little bit of a lull post Super Bowl, but you know is is do you see just activity spikes it during seasons, you know certain seasons March Madness, Super Bowl, playoffs in different sports and things or is it pretty consistent high level and your guards are always up?
Chris Taft 09:50
Look I'd say the guards are always up but yeah, there's certainly seasonality to it. I mean, if you think about you know, in our merchandising business in particular, like you know, we call peak season right so Black Friday through you know, Christmas Eve is the biggest shopping, you know, time volume wise for all retailers in e-commerce site. So that volume being so high every day definitely raises the bar because it may mean that something doesn't get caught that should have. Right. And so I think always having that level of that lens on things, it's so important that like, it's sort of defang that time, if you're always focused on it. Right? You define it from that peak time. So that, again, people are always ready and vigilant by by far, that is the busiest time of the year for us,
Michael Grande 10:31
You know, what are the other areas that I think would be important maybe to touch on, you've got some good experience in this is, you know, we meet our sort of primary client size is that sort of mid-market type company? You know, we're dealing with boards on a somewhat regular basis, but not not all the time, maybe the sophistication of the delivery of information now that you see to board level, and sort of what the onus is now, from a board perspective, might be helpful to share.
Chris Taft 11:03
Yeah, sure. And look, I think, the stakes got raised even higher recently, the Securities and Exchange Commission, the SEC, just a new rule that they launched, that began December 15, where public companies, if they have a breach and is determined to be a material breach, have four business days to file, what they call an AK Occur report with the SEC, which is a public document that anybody can go on and see. And so having that means, you have to have process and you have to have governance, and you have to have the ability to get the information and to process it really quickly. And so, you know, for the past, I'd say, you know, decade or so, and in my roles in public companies, and in dealing with boards and audit committees, we've just been like the communication and the level information to the board, the audit committee just keeps rising. And so it would go from like a once a year, sort of cyber InfoSec, review to monthly letters from the CISO. Like, here's where we are on this, here's what's happening, here's what's going on in the industry, because that's, that's where we're at. And it's only going to continue to get elevated with this new rule. Because in addition to filing that report, if you have a breach, you have to annually file, you know, disclosures around, what's your risk management? What's your strategy? What's the board oversight, what expertise of the board have around cyber, so it's just raising the stakes in terms of ensuring that you've got that capability? You've got legal involved, there's gonna be external counsel involved? And I think for me, the hardest part about this one is it's a, determining materiality. Because if it's not a straight dollar, not that, you know, there's a lot of qualitative stuff that you got to factor in, like, is it IP? Is their brand reputation? Am I gonna get sued, like, in four days, you got to try to figure all that out, right, to some extent. And then when you're disclosing these breaches, and you're disclosing these, these practices in the policies that you have, like, you don't wanna give a roadmap to a bad actor of like, oh, they're vulnerable here, so let's go there. So there's a little bit of give and take there with, you got to comply with the rule, right? Because you don't want to a letter from the SEC. But you also don't want to be like open kimono with every bad actor of like, hey, come get me over here, because I'm exposed. So I think that's going to be interesting. And I've been, I've been starting to read some of them as they come out, just to kind of get ahead of it and understand how far people are going. But I think that's going to be one there'll be a lot of debate about as these are filed, and people are reading them. And there's subsequent events after that.
Jason Pufahl 13:21
So it's interesting, though. So you're saying there's an annual requirement to provide essentially the state of your security program, regardless of whether you've had an incident or a breach?
Chris Taft 13:31
That's right. Exactly. And so I think that's the, again, that's the give and take of you want to comply, but you don't want to give too much.
Jason Pufahl 13:38
Do they, out of curiosity, is there a specific format that they require the information in? Is that up to you, essentially, you as the submitter?
Chris Taft 13:47
Yeah. I mean, it's up to the preparer, I think, look, a fair amount of that will be boilerplate like, typically what happens with these is like the first company to file everybody looks at and you work with outside counsel to make sure that you're again, you're complying, but you're not. You don't want to give too much in an area that's sensitive. You know, it's tough, but I think, look, they're not, I mean, it depends on when the year end of the company is for calendar, they won't be filed until you know, a year from now. But it's gonna be interesting to see like how far folks go and it'd be more fun to follow when there are breaches like, how what does that disclosure look like? And then other follow ons if what they initially thought got worse, right? That's the other thing too is you filed the initial one, but you don't know everything in four days. And all of a sudden, it's a bigger issue, you got to file an amended AK and, you know, things can get really bad.
Michael Grande 14:32
So, and sort of as we wind down here, I've got a question. And it's sort of it's not necessarily just about your experience today. Maybe it's looking back over the last, you know, 10/15/20 years that you've been, you know, in the marketplace. Obviously, the growth in spending of organizations from a defense perspective against cyber threats and internal technologies and just if you could spend a minute maybe just talking gets through without specifics, that would I would assume as meteoric growth for budget considerations when it comes to those areas?
Chris Taft 15:09
Yeah look, I'll say in the past 15 years, right? It's obviously getting more and more, but not only is it getting more and more investment in it, but it's at the board level, right? These conversations are at the board level of like, hey, we need to spend as much money for coming to you, you know, for approval, because it's more than we would typically want to spend. And here's why we think we should do it. It's always a balancing act. Right. But I think it's, it's, it's so important. It's like, you know, they say, like, like insurance, you spend a lot of money on insurance for a reason, like, this can be even worse, if you have an attack, particularly if you've got like crown jewels that you got to protect, like, I mean, this is stuff that, you know, there's math behind it for the finance people to figure out whether or not it's worth it. But I think regardless, you're gonna see the level of spend continue, particularly now with like AI. And what does that bring? I mean, I think it's an area that's really exciting, right? Yeah. Everybody wants is excited about it. But again, as I sit back as like the, you know, the controls person in the background, it's it's like, okay, let's slow down a little bit on this to make sure I mean, we can understand all the impacts before we go go too far. Yeah, for sure. And like, I'd say, just one last thing on sort of, like board involvement, involvement with senior leaders of the company, I think the best exercise, and I've done three of these now is like, you know, sort of a mock breach, tabletop, and a mock tabletop exercise. Like, you get everybody in the room, you block your calendars for three or four hours. And you I mean, you make there's companies that obviously do this for you, but like, you make it as real as possible. And I mean, you really find out like, okay, we gotta get better here, we gotta get better here, this worked well. But that's really where you get to see it. And we did it all the way up to the board level that one of the companies I worked at, and it was really interesting to see, you know, how it worked, and what we really need to focus on to get better.
Jason Pufahl 16:52
Yeah, so we definitely do a fair amount of tabletops with clients. And some of them will actually include counsel to, you know, sort of encapsulate these in privilege. The effective ones absolutely are executive level participation, right. I mean, there's some some companies that want to have only IT do it, I'd say any tabletop is better than no tabletop, but the more senior the people you can get involved, the better your outcomes going to be. And frankly, without doing those, hitting those four day time requirements is basically impossible. You need to have some practice, right?
Chris Taft 17:23
Yeah, exactly. And I talk to a company that I use in a product company that that doesn't even I had a conversation with the, you know, one of the reps, and he's a yeah, they've now incorporated the the four day timeline and how to think through that and what's required. And so it's it's definitely raising the bar for sure.
Jason Pufahl 17:38
Yeah, it's great. And it's great. I think that the boards are paying attention. I've done my share of board presentations, you know, 10 years ago, there'd be a lot of time on cell phones and people ignoring it. And that it's years went by there's a lot more attention spent, which I think is finally appropriate. So I mean, I think, you know, kind of ending on that SEC part, it's probably appropriate. You know, we sort of talked a little bit about seasonality broken down into some of the risks are and then ultimately, if something happens, you've got to report. So I appreciate I appreciate you come in sharing some of that perspective for what you do at Fanatics. Talking a little bit about the SEC Rule, because we actually haven't done that too much.
Michael Grande 18:16
Yeah, that's new.
Jason Pufahl 18:17
I wish both of you luck in the tournament.
Chris Taft 18:22
Should we like, you know, let's make our call now. Because if this was coming out before March Madness. I mean, like, let's see, we go back in time,
Michael Grande 18:28
From our perspective, I don't know there's going to be a doubt about UConn getting a one seed.
Jason Pufahl 18:33
They did get killed.
Michael Grande 18:35
I just hope we make the field of 68.
Jason Pufahl 18:38
I mean, I think you will. And,
Chris Taft 18:42
It's all about the Big East tournament, Mike.
Jason Pufahl 18:44
Big East Tournament. Yeah. I mean, all the stats are what UConn hasn't hasn't won it, like 20 years or whatever. Yeah. I think this is their year, though. I mean, they're looking. I am curious to see if they can repeat, right. That's the big thing for UConn fans is they did it last year. Can they do it again? Boy, they seem like they could, I would, I would think they would. Clearly, they're, they're going into winner section of my bracket.
Michael Grande 19:07
Thanks so much, Chris. Really a pleasure to have you on and to join us and provide your perspective to what we're doing on a regular basis here.
Chris Taft 19:15
That was a pleasure. Great talking you guys.
Jason Pufahl 19:17
Thanks so much. Thanks for joining me. Well, thank you.
19:20
We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.